diff --git a/sys/amd64/amd64/elf_machdep.c b/sys/amd64/amd64/elf_machdep.c index ca07adc..c854ecd 100644 --- a/sys/amd64/amd64/elf_machdep.c +++ b/sys/amd64/amd64/elf_machdep.c @@ -72,7 +72,8 @@ struct sysentvec elf64_freebsd_sysvec = { .sv_setregs = exec_setregs, .sv_fixlimit = NULL, .sv_maxssiz = NULL, - .sv_flags = SV_ABI_FREEBSD | SV_LP64 | SV_SHP | SV_TIMEKEEP, + .sv_flags = SV_ABI_FREEBSD | SV_LP64 | SV_SHP | SV_TIMEKEEP | + SV_ASLR, .sv_set_syscall_retval = cpu_set_syscall_retval, .sv_fetch_syscall_args = cpu_fetch_syscall_args, .sv_syscallnames = syscallnames, diff --git a/sys/arm/arm/elf_machdep.c b/sys/arm/arm/elf_machdep.c index a962ee8..8f14be7 100644 --- a/sys/arm/arm/elf_machdep.c +++ b/sys/arm/arm/elf_machdep.c @@ -75,7 +75,7 @@ struct sysentvec elf32_freebsd_sysvec = { .sv_maxssiz = NULL, .sv_flags = #if __ARM_ARCH >= 6 - SV_SHP | SV_TIMEKEEP | + SV_SHP | SV_TIMEKEEP | SV_ASLR | #endif SV_ABI_FREEBSD | SV_ILP32, .sv_set_syscall_retval = cpu_set_syscall_retval, diff --git a/sys/compat/freebsd32/freebsd32_misc.c b/sys/compat/freebsd32/freebsd32_misc.c index 598bdc5..1291a0a 100644 --- a/sys/compat/freebsd32/freebsd32_misc.c +++ b/sys/compat/freebsd32/freebsd32_misc.c @@ -3039,6 +3039,7 @@ freebsd32_procctl(struct thread *td, struct freebsd32_procctl_args *uap) switch (uap->com) { case PROC_SPROTECT: case PROC_TRACE_CTL: + case PROC_ASLR_CTL: error = copyin(PTRIN(uap->data), &flags, sizeof(flags)); if (error != 0) return (error); @@ -3068,6 +3069,7 @@ freebsd32_procctl(struct thread *td, struct freebsd32_procctl_args *uap) data = &x.rk; break; case PROC_TRACE_STATUS: + case PROC_ASLR_STATUS: data = &flags; break; default: @@ -3086,6 +3088,7 @@ freebsd32_procctl(struct thread *td, struct freebsd32_procctl_args *uap) error = error1; break; case PROC_TRACE_STATUS: + case PROC_ASLR_STATUS: if (error == 0) error = copyout(&flags, uap->data, sizeof(flags)); break; diff --git a/sys/compat/ia32/ia32_sysvec.c b/sys/compat/ia32/ia32_sysvec.c index f201570..abf26a8 100644 --- a/sys/compat/ia32/ia32_sysvec.c +++ b/sys/compat/ia32/ia32_sysvec.c @@ -120,11 +120,9 @@ struct sysentvec ia32_freebsd_sysvec = { .sv_setregs = ia32_setregs, .sv_fixlimit = ia32_fixlimit, .sv_maxssiz = &ia32_maxssiz, - .sv_flags = SV_ABI_FREEBSD | SV_IA32 | SV_ILP32 | + .sv_flags = SV_ABI_FREEBSD | SV_IA32 | SV_ILP32 #ifdef __amd64__ - SV_SHP | SV_TIMEKEEP -#else - 0 + | SV_SHP | SV_TIMEKEEP | SV_ASLR #endif , .sv_set_syscall_retval = ia32_set_syscall_retval, diff --git a/sys/i386/i386/elf_machdep.c b/sys/i386/i386/elf_machdep.c index 3c76ab2..3fa2d09 100644 --- a/sys/i386/i386/elf_machdep.c +++ b/sys/i386/i386/elf_machdep.c @@ -79,7 +79,7 @@ struct sysentvec elf32_freebsd_sysvec = { .sv_fixlimit = NULL, .sv_maxssiz = NULL, .sv_flags = SV_ABI_FREEBSD | SV_IA32 | SV_ILP32 | SV_SHP | - SV_TIMEKEEP, + SV_TIMEKEEP | SV_ASLR, .sv_set_syscall_retval = cpu_set_syscall_retval, .sv_fetch_syscall_args = cpu_fetch_syscall_args, .sv_syscallnames = syscallnames, diff --git a/sys/kern/imgact_elf.c b/sys/kern/imgact_elf.c index 1ee4e9b..8279967 100644 --- a/sys/kern/imgact_elf.c +++ b/sys/kern/imgact_elf.c @@ -134,6 +134,21 @@ SYSCTL_INT(_kern_elf32, OID_AUTO, read_exec, CTLFLAG_RW, &i386_read_exec, 0, #endif #endif +static int __elfN(aslr_enabled) = 1; +SYSCTL_INT(__CONCAT(_kern_elf, __ELF_WORD_SIZE), OID_AUTO, + aslr_enabled, CTLFLAG_RWTUN, &__elfN(aslr_enabled), 0, + __XSTRING(__CONCAT(ELF, __ELF_WORD_SIZE)) ": enable aslr"); + +static int __elfN(pie_aslr_enabled) = 1; +SYSCTL_INT(__CONCAT(_kern_elf, __ELF_WORD_SIZE), OID_AUTO, + pie_aslr_enabled, CTLFLAG_RWTUN, &__elfN(pie_aslr_enabled), 0, + __XSTRING(__CONCAT(ELF, __ELF_WORD_SIZE)) ": enable aslr for PIE binaries"); + +static int __elfN(aslr_care_sbrk) = 0; +SYSCTL_INT(__CONCAT(_kern_elf, __ELF_WORD_SIZE), OID_AUTO, + aslr_care_sbrk, CTLFLAG_RW, &__elfN(aslr_care_sbrk), 0, + __XSTRING(__CONCAT(ELF, __ELF_WORD_SIZE)) ": assume sbrk is used"); + static Elf_Brandinfo *elf_brand_list[MAX_BRANDS]; #define trunc_page_ps(va, ps) rounddown2(va, ps) @@ -421,13 +436,14 @@ __elfN(map_partial)(vm_map_t map, vm_object_t object, vm_ooffset_t offset, } static int -__elfN(map_insert)(vm_map_t map, vm_object_t object, vm_ooffset_t offset, - vm_offset_t start, vm_offset_t end, vm_prot_t prot, int cow) +__elfN(map_insert)(struct image_params *imgp, vm_map_t map, vm_object_t object, + vm_ooffset_t offset, vm_offset_t start, vm_offset_t end, vm_prot_t prot, + int cow) { struct sf_buf *sf; vm_offset_t off; vm_size_t sz; - int error, rv; + int error, locked, rv; if (start != trunc_page(start)) { rv = __elfN(map_partial)(map, object, offset, start, @@ -450,10 +466,11 @@ __elfN(map_insert)(vm_map_t map, vm_object_t object, vm_ooffset_t offset, * The mapping is not page aligned. This means we have * to copy the data. Sigh. */ - rv = vm_map_find(map, NULL, 0, &start, end - start, 0, - VMFS_NO_SPACE, prot | VM_PROT_WRITE, VM_PROT_ALL, - 0); - if (rv) + vm_map_lock(map); + rv = vm_map_insert(map, NULL, 0, start, end, + prot | VM_PROT_WRITE, VM_PROT_ALL, 0); + vm_map_unlock(map); + if (rv != KERN_SUCCESS) return (rv); if (object == NULL) return (KERN_SUCCESS); @@ -468,9 +485,8 @@ __elfN(map_insert)(vm_map_t map, vm_object_t object, vm_ooffset_t offset, error = copyout((caddr_t)sf_buf_kva(sf) + off, (caddr_t)start, sz); vm_imgact_unmap_page(sf); - if (error) { + if (error != 0) return (KERN_FAILURE); - } offset += sz; } rv = KERN_SUCCESS; @@ -480,8 +496,12 @@ __elfN(map_insert)(vm_map_t map, vm_object_t object, vm_ooffset_t offset, rv = vm_map_insert(map, object, offset, start, end, prot, VM_PROT_ALL, cow); vm_map_unlock(map); - if (rv != KERN_SUCCESS) + if (rv != KERN_SUCCESS) { + locked = VOP_ISLOCKED(imgp->vp); + VOP_UNLOCK(imgp->vp, 0); vm_object_deallocate(object); + vn_lock(imgp->vp, locked | LK_RETRY); + } } return (rv); } else { @@ -538,7 +558,7 @@ __elfN(load_section)(struct image_params *imgp, vm_offset_t offset, cow = MAP_COPY_ON_WRITE | MAP_PREFAULT | (prot & VM_PROT_WRITE ? 0 : MAP_DISABLE_COREDUMP); - rv = __elfN(map_insert)(map, + rv = __elfN(map_insert)(imgp, map, object, file_addr, /* file offset */ map_addr, /* virtual start */ @@ -568,8 +588,8 @@ __elfN(load_section)(struct image_params *imgp, vm_offset_t offset, /* This had damn well better be true! */ if (map_len != 0) { - rv = __elfN(map_insert)(map, NULL, 0, map_addr, map_addr + - map_len, VM_PROT_ALL, 0); + rv = __elfN(map_insert)(imgp, map, NULL, 0, map_addr, + map_addr + map_len, VM_PROT_ALL, 0); if (rv != KERN_SUCCESS) { return (EINVAL); } @@ -744,6 +764,24 @@ fail: return (error); } +static u_long +__CONCAT(rnd_, __elfN(base))(u_long base, u_long minv, u_long maxv, + u_int align) +{ + u_long rbase, res; + + arc4rand(&rbase, sizeof(rbase), 0); + res = base + rbase % (maxv - minv); + res &= ~((u_long)align - 1); + KASSERT(res >= base, + ("res %#lx < base %#lx, minv %#lx maxv %#lx rbase %#lx", + res, base, minv, maxv, rbase)); + KASSERT(res < maxv, + ("res %#lx > maxv %#lx, minv %#lx base %#lx rbase %#lx", + res, maxv, minv, base, rbase)); + return (res); +} + static int __CONCAT(exec_, __elfN(imgact))(struct image_params *imgp) { @@ -752,6 +790,7 @@ __CONCAT(exec_, __elfN(imgact))(struct image_params *imgp) const Elf_Phdr *phdr; Elf_Auxargs *elf_auxargs; struct vmspace *vmspace; + vm_map_t map; const char *err_str, *newinterp; char *interp, *interp_buf, *path; Elf_Brandinfo *brand_info; @@ -759,6 +798,7 @@ __CONCAT(exec_, __elfN(imgact))(struct image_params *imgp) vm_prot_t prot; u_long text_size, data_size, total_size, text_addr, data_addr; u_long seg_size, seg_addr, addr, baddr, et_dyn_addr, entry, proghdr; + u_long maxalign, mapsz, maxv; int32_t osrel; int error, i, n, interp_name_len, have_interp; @@ -800,12 +840,17 @@ __CONCAT(exec_, __elfN(imgact))(struct image_params *imgp) err_str = newinterp = NULL; interp = interp_buf = NULL; td = curthread; + maxalign = PAGE_SIZE; + mapsz = 0; for (i = 0; i < hdr->e_phnum; i++) { switch (phdr[i].p_type) { case PT_LOAD: if (n == 0) baddr = phdr[i].p_vaddr; + if (phdr[i].p_align > maxalign) + maxalign = phdr[i].p_align; + mapsz += phdr[i].p_memsz; n++; break; case PT_INTERP: @@ -859,6 +904,8 @@ __CONCAT(exec_, __elfN(imgact))(struct image_params *imgp) error = ENOEXEC; goto ret; } + sv = brand_info->sysvec; + et_dyn_addr = 0; if (hdr->e_type == ET_DYN) { if ((brand_info->flags & BI_CAN_EXEC_DYN) == 0) { uprintf("Cannot execute shared object\n"); @@ -869,13 +916,17 @@ __CONCAT(exec_, __elfN(imgact))(struct image_params *imgp) * Honour the base load address from the dso if it is * non-zero for some reason. */ - if (baddr == 0) - et_dyn_addr = ET_DYN_LOAD_ADDR; - else - et_dyn_addr = 0; - } else - et_dyn_addr = 0; - sv = brand_info->sysvec; + if (baddr == 0) { + if ((sv->sv_flags & SV_ASLR) == 0) + et_dyn_addr = ET_DYN_LOAD_ADDR; + else if ((__elfN(pie_aslr_enabled) && + (imgp->proc->p_flag2 & P2_ASLR_DISABLE) == 0) || + (imgp->proc->p_flag2 & P2_ASLR_ENABLE) != 0) + et_dyn_addr = 1; + else + et_dyn_addr = ET_DYN_LOAD_ADDR; + } + } if (interp != NULL && brand_info->interp_newpath != NULL) newinterp = brand_info->interp_newpath; @@ -894,6 +945,49 @@ __CONCAT(exec_, __elfN(imgact))(struct image_params *imgp) error = exec_new_vmspace(imgp, sv); imgp->proc->p_sysent = sv; + vmspace = imgp->proc->p_vmspace; + map = &vmspace->vm_map; + + /* + * Decide to enable randomization of user mappings. First, + * reset user preferences for the setid binaries. Then, + * account for the support of the randomization by the ABI, by + * user preferences, and make special treatment for PIE + * binaries. + */ + if (imgp->credential_setid) { + PROC_LOCK(imgp->proc); + imgp->proc->p_flag2 &= ~(P2_ASLR_ENABLE | P2_ASLR_DISABLE); + PROC_UNLOCK(imgp->proc); + } + if ((sv->sv_flags & SV_ASLR) == 0 || + (imgp->proc->p_flag2 & P2_ASLR_DISABLE) != 0) { + KASSERT(et_dyn_addr != 1, ("et_dyn_addr == 1 and !ASLR")); + } else if ((imgp->proc->p_flag2 & P2_ASLR_ENABLE) != 0 || + (__elfN(aslr_enabled) && hdr->e_type == ET_EXEC) || + et_dyn_addr == 1) { + vm_map_lock(map); + map->flags |= MAP_ASLR; + /* + * If user does not care about sbrk, utilize the bss + * grow region for mappings as well. We can select + * the base for the image anywere and still not suffer + * from the fragmentation. + */ + if (!__elfN(aslr_care_sbrk) || + (imgp->proc->p_flag2 & P2_ASLR_IGNSTART) != 0) + map->flags |= MAP_ASLR_IGNSTART; + vm_map_unlock(map); + } + maxv = vm_map_max(map) - lim_max(td, RLIMIT_STACK); + if (et_dyn_addr == 1) { + KASSERT((map->flags & MAP_ASLR) != 0, + ("et_dyn_addr but !MAP_ASLR")); + et_dyn_addr = __CONCAT(rnd_, __elfN(base))(vm_map_min(map), + vm_map_min(map) + mapsz + lim_max(td, RLIMIT_DATA), + /* reserve half of the address space to interpreter */ + maxv / 2, 1UL << flsl(maxalign)); + } vn_lock(imgp->vp, LK_EXCLUSIVE | LK_RETRY); if (error != 0) @@ -986,7 +1080,6 @@ __CONCAT(exec_, __elfN(imgact))(struct image_params *imgp) goto ret; } - vmspace = imgp->proc->p_vmspace; vmspace->vm_tsize = text_size >> PAGE_SHIFT; vmspace->vm_taddr = (caddr_t)(uintptr_t)text_addr; vmspace->vm_dsize = data_size >> PAGE_SHIFT; @@ -1007,6 +1100,11 @@ __CONCAT(exec_, __elfN(imgact))(struct image_params *imgp) if (interp != NULL) { have_interp = FALSE; VOP_UNLOCK(imgp->vp, 0); + if ((map->flags & MAP_ASLR) != 0) { + addr = __CONCAT(rnd_, __elfN(base))(addr, addr, + /* Assume that interpeter fits into 1/4 of AS */ + (maxv + addr) / 2, PAGE_SIZE); + } if (brand_info->emul_path != NULL && brand_info->emul_path[0] != '\0') { path = malloc(MAXPATHLEN, M_TEMP, M_WAITOK); diff --git a/sys/kern/kern_exec.c b/sys/kern/kern_exec.c index 63d855d..c17d041 100644 --- a/sys/kern/kern_exec.c +++ b/sys/kern/kern_exec.c @@ -1091,6 +1091,7 @@ exec_new_vmspace(imgp, sv) shmexit(vmspace); pmap_remove_pages(vmspace_pmap(vmspace)); vm_map_remove(map, vm_map_min(map), vm_map_max(map)); + map->flags &= ~(MAP_ASLR | MAP_ASLR_IGNSTART); } else { error = vmspace_exec(p, sv_minuser, sv->sv_maxuser); if (error) diff --git a/sys/kern/kern_fork.c b/sys/kern/kern_fork.c index 035a704..50129a0 100644 --- a/sys/kern/kern_fork.c +++ b/sys/kern/kern_fork.c @@ -497,7 +497,8 @@ do_fork(struct thread *td, struct fork_req *fr, struct proc *p2, struct thread * * Increase reference counts on shared objects. */ p2->p_flag = P_INMEM; - p2->p_flag2 = p1->p_flag2 & (P2_NOTRACE | P2_NOTRACE_EXEC); + p2->p_flag2 = p1->p_flag2 & (P2_NOTRACE | P2_NOTRACE_EXEC | + P2_ASLR_ENABLE | P2_ASLR_DISABLE | P2_ASLR_IGNSTART); p2->p_swtick = ticks; if (p1->p_flag & P_PROFIL) startprofclock(p2); diff --git a/sys/kern/kern_procctl.c b/sys/kern/kern_procctl.c index 8ef72901..76340609 100644 --- a/sys/kern/kern_procctl.c +++ b/sys/kern/kern_procctl.c @@ -1,6 +1,6 @@ /*- * Copyright (c) 2014 John Baldwin - * Copyright (c) 2014 The FreeBSD Foundation + * Copyright (c) 2014-2016 The FreeBSD Foundation * * Portions of this software were developed by Konstantin Belousov * under sponsorship from the FreeBSD Foundation. @@ -43,6 +43,11 @@ __FBSDID("$FreeBSD$"); #include #include +#include +#include +#include +#include + static int protect_setchild(struct thread *td, struct proc *p, int flags) { @@ -336,6 +341,62 @@ trace_status(struct thread *td, struct proc *p, int *data) return (0); } +static int +aslr_ctl(struct thread *td, struct proc *p, int state) +{ + + PROC_LOCK_ASSERT(p, MA_OWNED); + + switch (state) { + case PROC_ASLR_FORCE_ENABLE: + p->p_flag2 &= ~P2_ASLR_DISABLE; + p->p_flag2 |= P2_ASLR_ENABLE; + break; + case PROC_ASLR_FORCE_DISABLE: + p->p_flag2 |= P2_ASLR_DISABLE; + p->p_flag2 &= ~P2_ASLR_ENABLE; + break; + case PROC_ASLR_NOFORCE: + p->p_flag2 &= ~(P2_ASLR_ENABLE | P2_ASLR_DISABLE); + break; + default: + return (EINVAL); + } + return (0); +} + +static int +aslr_status(struct thread *td, struct proc *p, int *data) +{ + struct vmspace *vm; + int d; + + switch (p->p_flag2 & (P2_ASLR_ENABLE | P2_ASLR_DISABLE)) { + case 0: + d = PROC_ASLR_NOFORCE; + break; + case P2_ASLR_ENABLE: + d = PROC_ASLR_FORCE_ENABLE; + break; + case P2_ASLR_DISABLE: + d = PROC_ASLR_FORCE_DISABLE; + break; + } + if ((p->p_flag & P_WEXIT) == 0) { + _PHOLD(p); + PROC_UNLOCK(p); + vm = vmspace_acquire_ref(p); + if (vm != NULL && (vm->vm_map.flags & MAP_ASLR) != 0) { + d |= PROC_ASLR_ACTIVE; + vmspace_free(vm); + } + PROC_LOCK(p); + _PRELE(p); + } + *data = d; + return (0); +} + #ifndef _SYS_SYSPROTO_H_ struct procctl_args { idtype_t idtype; @@ -359,6 +420,7 @@ sys_procctl(struct thread *td, struct procctl_args *uap) switch (uap->com) { case PROC_SPROTECT: case PROC_TRACE_CTL: + case PROC_ASLR_CTL: error = copyin(uap->data, &flags, sizeof(flags)); if (error != 0) return (error); @@ -386,6 +448,7 @@ sys_procctl(struct thread *td, struct procctl_args *uap) data = &x.rk; break; case PROC_TRACE_STATUS: + case PROC_ASLR_STATUS: data = &flags; break; default: @@ -403,6 +466,7 @@ sys_procctl(struct thread *td, struct procctl_args *uap) error = error1; break; case PROC_TRACE_STATUS: + case PROC_ASLR_STATUS: if (error == 0) error = copyout(&flags, uap->data, sizeof(flags)); break; @@ -432,6 +496,10 @@ kern_procctl_single(struct thread *td, struct proc *p, int com, void *data) return (trace_ctl(td, p, *(int *)data)); case PROC_TRACE_STATUS: return (trace_status(td, p, data)); + case PROC_ASLR_CTL: + return (aslr_ctl(td, p, *(int *)data)); + case PROC_ASLR_STATUS: + return (aslr_status(td, p, data)); default: return (EINVAL); } @@ -452,6 +520,8 @@ kern_procctl(struct thread *td, idtype_t idtype, id_t id, int com, void *data) case PROC_REAP_GETPIDS: case PROC_REAP_KILL: case PROC_TRACE_STATUS: + case PROC_ASLR_CTL: + case PROC_ASLR_STATUS: if (idtype != P_PID) return (EINVAL); } @@ -471,6 +541,8 @@ kern_procctl(struct thread *td, idtype_t idtype, id_t id, int com, void *data) tree_locked = true; break; case PROC_TRACE_STATUS: + case PROC_ASLR_CTL: + case PROC_ASLR_STATUS: tree_locked = false; break; default: diff --git a/sys/sys/proc.h b/sys/sys/proc.h index f124d8f..8f83b38 100644 --- a/sys/sys/proc.h +++ b/sys/sys/proc.h @@ -707,6 +707,9 @@ struct proc { #define P2_NOTRACE_EXEC 0x00000004 /* Keep P2_NOPTRACE on exec(2). */ #define P2_AST_SU 0x00000008 /* Handles SU ast for kthreads. */ #define P2_LWP_EVENTS 0x00000010 /* Report LWP events via ptrace(2). */ +#define P2_ASLR_ENABLE 0x00000020 /* Force enable ASLR. */ +#define P2_ASLR_DISABLE 0x00000040 /* Force disable ASLR. */ +#define P2_ASLR_IGNSTART 0x00000080 /* Enable ASLR to consume sbrk area. */ /* Flags protected by proctree_lock, kept in p_treeflags. */ #define P_TREE_ORPHANED 0x00000001 /* Reparented, on orphan list */ diff --git a/sys/sys/procctl.h b/sys/sys/procctl.h index c6f1e94..de6f0d7 100644 --- a/sys/sys/procctl.h +++ b/sys/sys/procctl.h @@ -43,6 +43,8 @@ #define PROC_REAP_KILL 6 /* kill descendants */ #define PROC_TRACE_CTL 7 /* en/dis ptrace and coredumps */ #define PROC_TRACE_STATUS 8 /* query tracing status */ +#define PROC_ASLR_CTL 9 /* en/dis ASLR */ +#define PROC_ASLR_STATUS 10 /* query ASLR status */ /* Operations for PROC_SPROTECT (passed in integer arg). */ #define PPROT_OP(x) ((x) & 0xf) @@ -102,6 +104,11 @@ struct procctl_reaper_kill { #define PROC_TRACE_CTL_DISABLE 2 #define PROC_TRACE_CTL_DISABLE_EXEC 3 +#define PROC_ASLR_FORCE_ENABLE 1 +#define PROC_ASLR_FORCE_DISABLE 2 +#define PROC_ASLR_NOFORCE 3 +#define PROC_ASLR_ACTIVE 0x80000000 + #ifndef _KERNEL __BEGIN_DECLS int procctl(idtype_t, id_t, int, void *); diff --git a/sys/sys/sysent.h b/sys/sys/sysent.h index 25dc940..5db98db 100644 --- a/sys/sys/sysent.h +++ b/sys/sys/sysent.h @@ -138,7 +138,8 @@ struct sysentvec { #define SV_AOUT 0x008000 /* a.out executable. */ #define SV_SHP 0x010000 /* Shared page. */ #define SV_CAPSICUM 0x020000 /* Force cap_enter() on startup. */ -#define SV_TIMEKEEP 0x040000 +#define SV_TIMEKEEP 0x040000 /* Shared page timehands. */ +#define SV_ASLR 0x080000 /* ASLR allowed. */ #define SV_ABI_MASK 0xff #define SV_ABI_ERRNO(p, e) ((p)->p_sysent->sv_errsize <= 0 ? e : \ diff --git a/sys/vm/vm_map.c b/sys/vm/vm_map.c index 18404f8..953167f 100644 --- a/sys/vm/vm_map.c +++ b/sys/vm/vm_map.c @@ -1470,6 +1470,20 @@ vm_map_fixed(vm_map_t map, vm_object_t object, vm_ooffset_t offset, return (result); } +static const int aslr_pages_rnd_64[2] = {0x1000, 0x10}; +static const int aslr_pages_rnd_32[2] = {0x100, 0x4}; + +static int aslr_sloppiness = 5; +SYSCTL_INT(_vm, OID_AUTO, aslr_sloppiness, CTLFLAG_RW, &aslr_sloppiness, 0, + ""); + +static int aslr_collapse_anon = 1; +SYSCTL_INT(_vm, OID_AUTO, aslr_collapse_anon, CTLFLAG_RW, + &aslr_collapse_anon, 0, + ""); + +#define MAP_32BIT_MAX_ADDR ((vm_offset_t)1 << 31) + /* * vm_map_find finds an unallocated region in the target address * map with the given length. The search is defined to be @@ -1485,8 +1499,11 @@ vm_map_find(vm_map_t map, vm_object_t object, vm_ooffset_t offset, vm_size_t length, vm_offset_t max_addr, int find_space, vm_prot_t prot, vm_prot_t max, int cow) { - vm_offset_t alignment, initial_addr, start; - int result; + vm_map_entry_t prev_entry; + vm_offset_t alignment, addr_save, start, start1, rand_max, re; + const int *aslr_pages_rnd; + int result, do_aslr, pidx; + bool en_aslr, anon; KASSERT((cow & (MAP_STACK_GROWS_DOWN | MAP_STACK_GROWS_UP)) == 0 || object == NULL, @@ -1499,21 +1516,86 @@ vm_map_find(vm_map_t map, vm_object_t object, vm_ooffset_t offset, alignment = (vm_offset_t)1 << (find_space >> 8); } else alignment = 0; - initial_addr = *addr; + do_aslr = (map->flags & MAP_ASLR) != 0 ? aslr_sloppiness : 0; + en_aslr = do_aslr != 0; + anon = object == NULL && (cow & (MAP_INHERIT_SHARE | + MAP_STACK_GROWS_UP | MAP_STACK_GROWS_DOWN)) == 0 && + prot != PROT_NONE && aslr_collapse_anon; + addr_save = *addr; + if (en_aslr) { + if (vm_map_max(map) > MAP_32BIT_MAX_ADDR && + (max_addr == 0 || max_addr > MAP_32BIT_MAX_ADDR)) + aslr_pages_rnd = aslr_pages_rnd_64; + else + aslr_pages_rnd = aslr_pages_rnd_32; + if (find_space != VMFS_NO_SPACE && (map->flags & + MAP_ASLR_IGNSTART) != 0) { + start = anon ? map->anon_loc : vm_map_min(map); + } else { + start = anon && *addr == 0 ? map->anon_loc : addr_save; + } + } else { + start = addr_save; + } + start1 = start; /* for again_any_space restart */ again: - start = initial_addr; + if (en_aslr && (do_aslr == 0 || (anon && + do_aslr == aslr_sloppiness - 1))) { + /* + * We are either at the last aslr iteration, or anon + * coalescing failed on the first try. Retry with + * free run. + */ + if ((map->flags & MAP_ASLR_IGNSTART) != 0) + start = vm_map_min(map); + else + start = addr_save; + } +again_any_space: vm_map_lock(map); do { if (find_space != VMFS_NO_SPACE) { if (vm_map_findspace(map, start, length, addr) || (max_addr != 0 && *addr + length > max_addr)) { vm_map_unlock(map); + if (do_aslr > 0) { + do_aslr--; + goto again; + } if (find_space == VMFS_OPTIMAL_SPACE) { find_space = VMFS_ANY_SPACE; - goto again; + start = start1; + goto again_any_space; } return (KERN_NO_SPACE); } + /* + * The R step for ASLR. But skip it if we are + * trying to coalesce anon memory request. + */ + if (do_aslr > 0 && + !(anon && do_aslr == aslr_sloppiness)) { + vm_map_lookup_entry(map, *addr, &prev_entry); + if (MAXPAGESIZES > 1 && pagesizes[1] != 0 && + (find_space == VMFS_SUPER_SPACE || + find_space == VMFS_OPTIMAL_SPACE)) + pidx = 1; + else + pidx = 0; + re = prev_entry->next == &map->header ? + map->max_offset : prev_entry->next->start; + rand_max = ((max_addr != 0 && re > max_addr) ? + max_addr : re) - *addr - length; + rand_max /= pagesizes[pidx]; + if (rand_max < aslr_pages_rnd[pidx]) { + vm_map_unlock(map); + start = re; + do_aslr--; + goto again; + } + *addr += (arc4random() % rand_max) * + pagesizes[pidx]; + } switch (find_space) { case VMFS_SUPER_SPACE: case VMFS_OPTIMAL_SPACE: @@ -1529,7 +1611,6 @@ again: } break; } - start = *addr; } if ((cow & (MAP_STACK_GROWS_DOWN | MAP_STACK_GROWS_UP)) != 0) { @@ -1539,8 +1620,15 @@ again: result = vm_map_insert(map, object, offset, start, start + length, prot, max, cow); } + if (result != KERN_SUCCESS && do_aslr > 0) { + vm_map_unlock(map); + do_aslr--; + goto again; + } } while (result == KERN_NO_SPACE && find_space != VMFS_NO_SPACE && find_space != VMFS_ANY_SPACE); + if (result == KERN_SUCCESS && anon) + map->anon_loc = *addr + length; vm_map_unlock(map); return (result); } @@ -3049,6 +3137,9 @@ vm_map_delete(vm_map_t map, vm_offset_t start, vm_offset_t end) pmap_remove(map->pmap, entry->start, entry->end); + if (entry->end == map->anon_loc) + map->anon_loc = entry->prev->end; + /* * Delete the entry only after removing all pmap * entries pointing to its pages. (Otherwise, its diff --git a/sys/vm/vm_map.h b/sys/vm/vm_map.h index 2c0a4ad..ffc9fd8 100644 --- a/sys/vm/vm_map.h +++ b/sys/vm/vm_map.h @@ -190,6 +190,7 @@ struct vm_map { pmap_t pmap; /* (c) Physical map */ #define min_offset header.start /* (c) */ #define max_offset header.end /* (c) */ + vm_offset_t anon_loc; int busy; }; @@ -198,6 +199,8 @@ struct vm_map { */ #define MAP_WIREFUTURE 0x01 /* wire all future pages */ #define MAP_BUSY_WAKEUP 0x02 +#define MAP_ASLR 0x04 /* enabled ASLR */ +#define MAP_ASLR_IGNSTART 0x08 #ifdef _KERNEL static __inline vm_offset_t diff --git a/usr.bin/proccontrol/Makefile b/usr.bin/proccontrol/Makefile new file mode 100644 index 0000000..c11c412 --- /dev/null +++ b/usr.bin/proccontrol/Makefile @@ -0,0 +1,7 @@ +# $FreeBSD$ + +PROG= proccontrol +WARNS?= 6 +MK_MAN=no + +.include diff --git a/usr.bin/proccontrol/proccontrol.c b/usr.bin/proccontrol/proccontrol.c new file mode 100644 index 0000000..1f36bbd --- /dev/null +++ b/usr.bin/proccontrol/proccontrol.c @@ -0,0 +1,187 @@ +/*- + * Copyright (c) 2016 The FreeBSD Foundation + * All rights reserved. + * + * This software was developed by Konstantin Belousov + * under sponsorship from the FreeBSD Foundation. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include +__FBSDID("$FreeBSD$"); + +#include +#include +#include +#include +#include +#include +#include + +enum { + MODE_INVALID, + MODE_TRACE, + MODE_ASLR, +}; + +static pid_t +str2pid(const char *str) +{ + pid_t res; + char *tail; + + res = strtol(str, &tail, 0); + if (*tail != '\0') { + warnx("non-numeric pid"); + return (-1); + } + return (res); +} + +static void __dead2 +usage(void) +{ + + fprintf(stderr, "Usage: proccontrol -m (trace|aslr) [-q] " + "[-s (enable|disable)] [-p pid | command]\n"); + exit(1); +} + +int +main(int argc, char *argv[]) +{ + int arg, ch, error, mode; + pid_t pid; + bool enable, do_command, query; + + mode = MODE_INVALID; + enable = true; + pid = -1; + query = false; + while ((ch = getopt(argc, argv, "m:qs:p:")) != -1) { + switch (ch) { + case 'm': + if (strcmp(optarg, "trace") == 0) + mode = MODE_TRACE; + else if (strcmp(optarg, "aslr") == 0) + mode = MODE_ASLR; + else + usage(); + break; + case 's': + if (strcmp(optarg, "enable") == 0) + enable = true; + else if (strcmp(optarg, "disable") == 0) + enable = false; + else + usage(); + break; + case 'p': + pid = str2pid(optarg); + break; + case 'q': + query = true; + break; + case '?': + default: + usage(); + break; + } + } + argc -= optind; + argv += optind; + do_command = argc != 0; + if (do_command) { + if (pid != -1 || query) + usage(); + pid = getpid(); + } else if (pid == -1) { + pid = getpid(); + } + + if (query) { + switch (mode) { + case MODE_TRACE: + error = procctl(P_PID, pid, PROC_TRACE_STATUS, &arg); + break; + case MODE_ASLR: + error = procctl(P_PID, pid, PROC_ASLR_STATUS, &arg); + break; + default: + usage(); + break; + } + if (error != 0) + err(1, "procctl status"); + switch (mode) { + case MODE_TRACE: + if (arg == -1) + printf("disabled\n"); + else if (arg == 0) + printf("enabled, no debugger\n"); + else + printf("enabled, traced by %d\n", arg); + break; + case MODE_ASLR: + switch (arg & ~PROC_ASLR_ACTIVE) { + case PROC_ASLR_FORCE_ENABLE: + printf("force enabled"); + break; + case PROC_ASLR_FORCE_DISABLE: + printf("force disabled"); + break; + case PROC_ASLR_NOFORCE: + printf("not forced"); + break; + } + if ((arg & PROC_ASLR_ACTIVE) != 0) + printf(", active\n"); + else + printf(", not active\n"); + break; + } + } else { + switch (mode) { + case MODE_TRACE: + arg = enable ? PROC_TRACE_CTL_ENABLE : + PROC_TRACE_CTL_DISABLE; + error = procctl(P_PID, pid, PROC_TRACE_CTL, &arg); + break; + case MODE_ASLR: + arg = enable ? PROC_ASLR_FORCE_ENABLE : + PROC_ASLR_FORCE_DISABLE; + error = procctl(P_PID, pid, PROC_ASLR_CTL, &arg); + break; + default: + usage(); + break; + } + if (error != 0) + err(1, "procctl ctl"); + if (do_command) { + error = execvp(argv[0], argv); + err(1, "exec"); + } + } + exit(0); +}